From: "Roy Guo" <roy@szu.edu.cn>, Board: Linux
Subject: Locking doors, latching windows
Posting site: ShenZhen University (Sun Dec 5 19:28:45 1999)
Relay path: ShenZhen-University!bbs.szu.edu.cn!not-for-mail
Origin: 210.39.3.71
Version Control
Keep those pesky script-kiddies out of your system
Summary
Joe Barr talks with Craig Rowland about three free products -- Logcheck, HostSentry, and PortSentry -- that can keep your systems secure from amateurs. (2,200 words)
By Joe Barr
The problem: Let's say you're the owner of a small business. You've put up a Website and an e-mail server so that you can attract and communicate with customers. Like so many others, you've found Linux and Apache to be the best combination of price and performance.
You're there. You're cool. Things are working great.
Then one day it happens: You come to work and find your server and desktop systems cracked and their drives erased. A third system on the LAN is fine because you shut it down before you left the day before. If you hadn't, it would probably be toast as well.
Evil-hearted crackers? A mad genius trying to make a name for himself? Probably not. Probably nothing more than a script-kiddie with a few tools and nothing better to do on a school night.
How could it happen?
Well, it happens on the Internet just as it happens in your hometown. Breaking and entering, burglary, vandalism, and tagging: They all have counterparts in cyberspace.
Your business is located at 123 Easy Street, in Robust, Illinois. You advertise in the yellow pages and, of course, you're listed in the directory, so if someone wants to locate the business all they have to do is look in the phone book or dial information.
Your Website is located on port 80 of IP address XXX.123.123.123. It's been online for a while and you've managed to get it listed on a couple of the big search engines. So if someone wants to find you online, a quick search on Yahoo! or Alta Vista will bring them to your front door. Er, page.
At night, when you close the doors, you lock them and give a tug to make sure they don't open. You know the windows are securely locked because you've checked them. If you're smart, you also have a security system to sound the alarm if someone breaks in.
But the Web server stays up 24-7. Or it did until last night's visitors took it down, and took it down hard. You probably don't have a security system to detect break-ins. But you should.
Why? Because electronic violations are both easier and safer for the perpetrator than physical ones.
Your place of business has doors and windows. Thieves or vandals need to physically check them to see if you've left one unlocked or if one can easily be broken. They have to leave their own place, go to yours, find a weak spot, get in and out, and return without being detected.
Don't misunderstand me, I'm not trying to glorify crime. But the successful execution of those acts in the physical world requires a degree of stealth, cunning, and skill that the electronic equivalent doesn't.
Armed with just a few readily available tools, anyone with fair to middling smarts and access to the Internet can take down an unwary server and very likely any boxes connected to it, without ever leaving his chair.
A server is "cased" with a scanning tool. Just type in the address of the intended victim and press Enter. The scanner knocks at every door and taps at every window, even looks down the chimney to find an easy way in. It does this by sending a request to as many ports as the cracker likes.
If you take a look at the contents of the /etc/services text file, you'll see a list of the common services run on Linux and the ports normally reserved for their use. A scanner checks those ports one by one to determine what services are available on your machine.
The responses it receives to various knocks and taps may also reveal the operating system you're running, whether it's Linux or FreeBSD or Windows.
Given this information, all the cracker needs to do is match a known exploit to one of the services found on your box. These too are freely available on the Internet.
It doesn't have to be a 0-day exploit, either. Not unless you, the owner, and the systems administrator keep up with both the latest exploits and the fixes for them as they become available. For most of us, that means any exploits found since the release of the distribution we're running.
So, that's the situation. We're wide open to attacks unless we take some steps to avoid them.
What should you do? LinuxWorld has had a couple of great columns on this subject (see Resources) by Michael H. Warfield, and I recommend them highly if you need an introduction to computer security on the Internet. They contain not only good common sense that should become a part of life online, they also describe the sorts of things that all of us can do to protect ourselves against the great hordes of unskilled crackers.
The solution
One of the steps that Warfield wrote about in his LinuxWorld columns was adding protection against port scanning. It turns out that the author of some of the best-known self-defense software, Craig Rowland, is a fellow Austinite. I imposed on him for an e-mail interview.
Briefly, Craig's company, Psionic Software Systems, provides three free (as in beer) programs, and their source code, to anyone who abides by the licensing terms. The programs, which make up the Abacus Suite (see Resources), are Logcheck, HostSentry, and PortSentry.
PortSentry would have slammed the door in the face of the hypothetical attacker while he was casing the box. Like a good deadbolt or a padlock or strategic lighting, it won't stop everyone, but it will certainly deter most script-kiddies.
PortSentry first detects unwanted intrusions and then, in real time, routes all the traffic that would normally be sent in response to their scans into a bit bucket. Without feedback on what services are available on your machine, the cracker is left in the dark.
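To make the "detect, then black-hole" idea concrete, here is an added Python model of a PortSentry-style tripwire. It is not Psionic's code (PortSentry itself is a C program and is not reproduced here); the tripwire port list, the trigger threshold, the sample connection attempts and the `route add -host ... reject` response string are all assumptions made for this illustration, and nothing is executed against the system.

```python
"""Port-scan tripwire in the spirit of PortSentry (added example; not
Psionic's code).  The host deliberately serves nothing on a set of
"tripwire" ports, so a connection attempt there is suspicious by
construction.  Once one source has touched enough of them it is treated as
a scanner: its later attempts are discarded (the bit bucket) and the
blackhole command an administrator would run is recorded, not executed."""
from collections import defaultdict

# Example tripwire set (an assumption): pick ports the real host does not use.
TRIPWIRE_PORTS = {1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 6667, 12345}
TRIGGER_COUNT = 3   # distinct tripwire ports one source may probe before it is blocked


def blackhole_command(src):
    """Route-based response: send every packet for `src` to a rejecting route
    (Linux `route` syntax; rendered as text only, never run here)."""
    return f"route add -host {src} reject"


class Sentry:
    def __init__(self, tripwire=TRIPWIRE_PORTS, trigger=TRIGGER_COUNT):
        self.tripwire = set(tripwire)
        self.trigger = trigger
        self.probed = defaultdict(set)   # src -> tripwire ports it has touched
        self.blocked = set()
        self.alerts = []

    def observe(self, src, dport):
        """Feed one TCP connection attempt (source address, destination port).
        Returns what was done with it: ignored, dropped, noted or blocked."""
        if src in self.blocked:
            return "dropped"                 # already in the bit bucket: no reply at all
        if dport not in self.tripwire:
            return "ignored"                 # a real service; not this tool's concern
        self.probed[src].add(dport)
        if len(self.probed[src]) >= self.trigger:
            self.blocked.add(src)
            self.alerts.append(
                f"attackalert: {src} probed tripwire ports {sorted(self.probed[src])}; "
                f"response: {blackhole_command(src)}")
            return "blocked"
        return "noted"


# Constructed sample of connection attempts: (source address, destination port).
SAMPLE_EVENTS = [
    ("192.168.1.10", 80),    # customer browsing the Website
    ("10.0.0.5", 80),        # scanner starts with the advertised port
    ("10.0.0.5", 1),         # ...then walks the low ports: tripwire hits
    ("10.0.0.5", 11),
    ("10.0.0.5", 15),        # third distinct tripwire port: blocked
    ("10.0.0.5", 79),        # dropped: the scanner now sees nothing
    ("192.168.1.10", 25),    # mail from a legitimate host continues unaffected
]


def run_sample(events=SAMPLE_EVENTS):
    """Run the sentry over a list of events; returns per-event outcomes and the sentry."""
    sentry = Sentry()
    outcomes = [sentry.observe(src, port) for src, port in events]
    return outcomes, sentry


if __name__ == "__main__":
    outcomes, sentry = run_sample()
    for (src, port), result in zip(SAMPLE_EVENTS, outcomes):
        print(f"{src:>14} -> port {port:<5} {result}")
    for alert in sentry.alerts:
        print(alert)
```

One caveat worth keeping in mind with any automatic route-dropping response: the block is keyed on the source address of the probe, so the administrator should review the blackhole list before trusting it, and never let it block addresses the business itself depends on (upstream DNS, the mail relay, the office LAN).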
But let's hear more about all of this from Craig himself.
LinuxWorld: Were you wearing a white hat or a black one when you first got involved in computer security?
Craig Rowland: No comment.
LW: What was the inspiration for the Abacus toolkit?
CR: The overwhelming reason was to create security tools that would be simple to use and that would detect a large number of common attacks. I got frustrated seeing so many systems compromised with a combination of simple exploitation techniques and administrator ignorance of what was happening with their hosts. The tools are designed to help elevate the awareness of the administrators so that even if the attack is not stopped, they are at least in a position to know something happened that they need to respond to.
The original tools were actually used at an ISP I helped do security for. With a large number of hosts and administrators with varying degrees of security knowledge, it is a huge benefit to have tools that tell you in plain English when there is a problem.
LW: What tools does Abacus include?
CR: The publicly released tools include
Psionic Logcheck
Psionic PortSentry
Psionic HostSentry
Logcheck was the first publicly released package. Logcheck combs through system audit trails at specified intervals (usually hourly, as set up in cron). It then looks for unusual or known security events and mails them to the administrator for further analysis and action.
Logcheck was largely inspired by a script I saw on the TIS Gauntlet firewall by Marcus Ranum and Fred Avolio called frequentcheck.sh. It did quarter-hourly reporting of security events on the firewall, and I really liked its simplicity. I obtained permission from the authors to clone the tool back in 1995. I rewrote the tool and made some changes to the original logic to make it work better for general system administration and packaged it up to work on multiple platforms.
PortSentry was the second released package and was started back in 1997 after I got tired of having people scan the ports of systems I controlled.
PortSentry is a real-time port-scan detection and response tool. It is designed to detect attackers and stop the activity while notifying administrators. It is surprisingly effective at detecting and stopping many attacks cold. In essence it turns your machine into a black hole once an attack is seen and makes further intrusion attempts from the attacking host almost impossible.
Most people are surprised at how many probe attempts PortSentry detects. A typical user on a 24-7 connection (cable modem, commercial user, etc.) averages around two probes a day! The Internet is truly a dangerous place for those not paying attention to their computers.
I had for a long time been using TCP wrappers combined with a custom script to drop the route of people who hit the booby-trapped port. This worked well, but I really wanted a tool specifically designed to do the job.
I spent an evening coding the original prototype and put it out on the Internet a couple of months later. After that, many feature requests started coming in and the tool began to expand from the original, which only did full TCP port-connection detection, to the current tool, which covers just about everything, including all major stealth scan types.
HostSentry actually started about the same time I wrote Logcheck back in 1995-96. HostSentry uses Login Anomaly Detection (LAD) to see if a user login is suspicious. Basically, it attempts to use existing usage patterns and known intrusion practices to spot accounts that have had a compromised password. This is especially useful in catching accounts that have had passwords sniffed (which is one of the most common ways to break in to a host).
The HostSentry tool was actually just called LAD in the beginning. It was written after I was called in to help clean up a security incident. A user had his account compromised off a sniffed POP3 password. I wrote the original prototype in C in a couple of evenings and used it to track system users and spot other compromised accounts. It was surprisingly effective at helping clean up the mess. I let the project rest for a couple of years and resurrected it by rewriting it in Python (my favorite programming language BTW).
The tool currently monitors a number of activities associated with logins and will have reactive capabilities added at a later date.
LW: Do you plan to go commercial?
CR: There are no immediate plans to do this.
LW: Do you think white hat crackers/hackers like CdC and others help or hurt computer security?
CR: I'm neutral on this whole issue. There are benefits and drawbacks on both sides of the topic. I'd just say it's a personal choice and both decisions are more or less equivalent as far as overall utility goes. Personally, I don't release attack tools to the public.
LW: Is Linux more vulnerable to attack than other operating systems because it is open source?
CR: Yes and no. Having source code allows those wishing to do damage an easier means to find a problem. At the same time having source allows others to find problems a lot faster and issue fixes before they become a nuisance. For technical people, open source code is a tremendous benefit for customizations, auditing, and knowing exactly what a piece of code is going to do without having to guess.
The biggest problem for open source code is not knowing when to quit and start from scratch again. There are many legacy programs and network daemons that fall victim to this. I think many security problems could be avoided if new code could be written using accumulated knowledge from the past implementation rather than fixing the latest attack and hoping that somewhere else in the old code the same mistake wasn't made again (which it normally is). This affects the entire software industry though; Linux is just the most pointed-to case because it is so popular and the development community is so large.
LW: Thanks, Craig!
OK, so there you have it. If you're like most of us, you are probably not defending your site as well as you should be.
Run, don't walk, to the Psionic site and start downloading some protection.
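Craig's description of Logcheck in the interview above (comb the audit trail at intervals, pull out the known security events and the unusual ones, hand the rest to the administrator) can be shown in miniature with the following added Python sketch. It is not Psionic's Logcheck, which is a shell script; the three pattern lists, the section names, the "report only what is new since last run" offset, and the syslog lines are all constructed for this example.

```python
"""Log-filtering check in the spirit of Logcheck (added example; not
Psionic's own code).  It reads only the log text that arrived since the
last run, sorts each line into a report section using regex lists (known
attack, security violation, or merely unusual), and discards lines an
"ignore" list marks as routine.  Patterns and log lines are constructed."""
import re

# Constructed sample syslog excerpt; hostnames and addresses are made up.
SAMPLE_LOG = (
    "Dec  5 18:01:02 www sshd[812]: Accepted password for alice from 192.168.1.10 port 40122 ssh2\n"
    "Dec  5 18:02:15 www in.telnetd[901]: refused connect from 10.0.0.5\n"
    "Dec  5 18:03:40 www CRON[944]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "Dec  5 18:04:09 www su[950]: FAILED su for root by bob\n"
    "Dec  5 18:05:51 www portsentry[77]: attackalert: Connect from host: 10.0.0.5/10.0.0.5 to TCP port: 143\n"
    "Dec  5 18:06:00 www kernel: eth0: link down\n"
)

# Each list plays the role of one pattern file; these are example patterns
# chosen for this illustration, not the project's shipped ones.
ATTACK_PATTERNS = [r"attackalert", r"refused connect", r"ROOT LOGIN REFUSED"]
VIOLATION_PATTERNS = [r"FAILED su", r"Failed password", r"[Dd]enied", r"[Ii]llegal"]
VIOLATION_IGNORE = [r"sshd\[\d+\]: Failed password for invalid user"]   # known noise, not a violation
IGNORE_PATTERNS = [r"sshd\[\d+\]: Accepted password", r"CRON\[\d+\]: \(root\) CMD"]


def _matches(line, patterns):
    return any(re.search(p, line) for p in patterns)


def classify(line):
    """Return the report section a line belongs in, or None if it is routine.
    Order matters: attacks first, then violations, then the ignore list."""
    if _matches(line, ATTACK_PATTERNS):
        return "Active System Attack Alerts"
    if _matches(line, VIOLATION_PATTERNS) and not _matches(line, VIOLATION_IGNORE):
        return "Security Violations"
    if _matches(line, IGNORE_PATTERNS):
        return None
    return "Unusual System Events"


def run_check(log_text, offset=0):
    """Process log_text from character offset `offset` so that each run only
    reports what is new since the previous run.  Returns (report, new_offset);
    the caller persists new_offset between cron runs."""
    report = {}
    for line in log_text[offset:].splitlines():
        section = classify(line)
        if section:
            report.setdefault(section, []).append(line)
    return report, len(log_text)


def format_report(report):
    """Render the sections the way a mailed report would read."""
    out = []
    for section, lines in report.items():
        out.extend([section, "=" * len(section), *lines, ""])
    return "\n".join(out)


if __name__ == "__main__":
    rep, off = run_check(SAMPLE_LOG)
    print(format_report(rep))
    # A second run from the saved offset reports nothing until new lines land.
    rep2, _ = run_check(SAMPLE_LOG, off)
    print("second run sections:", list(rep2))
```

The value of the ignore list is that it is the only place noise gets removed: anything not explicitly matched still reaches the administrator under "Unusual System Events", which is the right default for a tool whose job is to make sure something was noticed.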